The story goes that the smart phone in your pocket has more power than the computers used to put the first man on the moon. And it’s not just legend; it’s true. The computers used by NASA had a memory capacity of 4 kilobytes. The standard smart phone has 64 gigabytes or 63,996,000 more bytes of data capacity.
The technological advances made in the past 45 years have been amazing. The changes in the last 10 years alone have been exponential. Unfortunately, for every advancement there are those who will use this technology for criminal purposes.
It is the responsibility of a business to protect the privacy, personal data and other valuable information collected from individuals or corporations. This data includes social security numbers, dates of birth, customer lists, financial records, receipts, legal documents, intellectual property, trade secrets and emails, all of which have great value to individuals and businesses.
I am sure many of you recall the massive data breach that occurred in 2007 to TJ Maxx credit card holders and this past summer’s computer system breach at SONY Pictures. But there are thousands of less publicized and smaller breaches happening each year in the United States. The TJ Maxx data breach cost the company more than $256 million. The cyber criminals stole more than 94 million credit and debit card numbers that were then used to buy millions of dollars of merchandise from other merchants. The hackers allegedly got into the TJX system through a wireless network. TJX did not have the upgraded and stronger protocols in place at that time that now exist.
A study of 350 companies in 11 countries released in 2015 by Ponemon Institute regarding the cost of data breaches determined that the consolidated cost of a data breach is $3.8 million. The study found that the cost incurred for each lost or stolen record containing sensitive and confidential information averages $154. Health care, according to the study, is the industry with the highest cost per stolen record, averaging $363, and the average cost per stolen record for retailers jumped from $105 in 2014 to $165.
Liability and Responsibilities
Cyber liability is simply the financial cost your business could be liable for if you do not protect data and it is used for illegal purposes or results in a financial loss to the owner of this information. A data breach is defined in NH law as an unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in the state. In the event of a data breach, you need to immediately assess the scope of the problem and the potential for misuse of data.
In accordance with the NH Right of Privacy Act (RSA 359-C) that was enacted in 1977 and amended in 2006, businesses are required to promptly determine the likelihood that information has been or will be misused, and to contact the NH Attorney General’s Office and report the extent of the breach. Notification provisions to affected individuals are triggered when misuse of data has occurred, is likely to occur or a determination of misuse cannot be made. New Hampshire law states notification must be made to affected parties “as quickly as possible” after a determination has been made about misuse. The penalty for not complying with the law can be substantial.
Cyber Liability Insurance
There are insurance products available to help businesses recover some of the costs associated with a data breach. These insurance products are in their infancy and have only been available for about 10 years. The coverage options continue to evolve along with the technology and circumstances of the breaches and data misuse. The demand for coverage has increased and is more readily available through insurance carriers.
Cyber liability coverage exists because of incidents of unauthorized use of or access to electronic data or software within a network or business. Cyber liability policies provide coverage for claims regarding viruses or malicious code, computer theft and extortion but also include coverage for unintentional acts, mistakes or omissions made by employees while performing their jobs. Ancillary coverage for business interruption and additional cost coverage is also available.
An important element in a cyber liability policy is the reimbursement of costs incurred complying with state and federal laws and with keeping customers safe from financial injury, including the cost for computer forensics, notification of affected individuals and one year mandatory credit monitoring.
Additional cost reimbursement is also available for public relations initiatives and loss of income due to negative publicity. This coverage is purchased with a maximum dollar limit paid for any one occurrence and a per occurrence deductible.
The cost of cyber liability coverage depends on a number of factors including the amount of coverage requested, the safeguards in place on the systems being insured and the size and complexity of the data being covered. Many business owners are not aware of the risk or that there is coverage available to minimize their liability.
Many divisions of the United States government require vendors or contractors to purchase and maintain some form of cyber liability coverage in their contract conditions, much like standard general liability insurance. The conventional wisdom is that in a few short years this coverage will be standard in all industries and a requirement to engage in most forms of commerce.
Judy Durst is director of education with the NH Association of Insurance Agents (NHAIA) in Concord and Will Infantine is president of Aspen Insurance Agency, LLC in Manchester and board chairman of NHAIA. Durst can be reached at 603-224-3965. Infantine can be reached at 603-647-0800. For more information, visit nhaia.com or aspen-ins.com.